VYPR
Unrated severity · NVD Advisory · Published Sep 30, 2022 · Updated May 20, 2025

CVE-2022-41437

Description

Billing System Project v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/createProduct.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Billing System Project v1.0 allows unauthenticated remote code execution via arbitrary file upload in /php_action/createProduct.php.

Vulnerability

The Billing System Project v1.0, developed by mayuri_k, contains a remote code execution (RCE) vulnerability in the /php_action/createProduct.php component. The script accepts file uploads without properly validating the file type or content, allowing an attacker to upload arbitrary files, including PHP web shells. The application does not restrict the uploaded file extension or check for malicious content. The vulnerable code path is accessible without authentication, as the product creation functionality is reachable via the /phpinventory/add-product.php page. Affected version: v1.0 as available on SourceCodester [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP POST request to /phpinventory/php_action/createProduct.php with a multipart/form-data payload containing a malicious PHP file (e.g., hackl.php) in the productImage field. The attack requires no prior authentication and no special network position; the attacker only needs network access to the target server. The exploit can be performed using any HTTP client (e.g., curl, Burp Suite). As demonstrated in Reference [1], the request includes the malicious PHP code (e.g., <?php phpinfo(); ?>) within the file upload. The server processes the upload and stores the file, allowing the attacker to then access the uploaded file via a web request to execute arbitrary PHP code on the server [1].

Impact

Successful exploitation grants the attacker remote code execution on the underlying web server. The attacker can execute arbitrary PHP commands with the privileges of the web server user, leading to full compromise of the application and potentially the host system. This can result in information disclosure, data tampering, denial of service, or further lateral movement within the network. The vulnerability has a severe impact on the confidentiality, integrity, and availability of the affected system [1].

Mitigation

At the time of publication, the vendor has not released a patched version or official advisory. The application may be end-of-life or unsupported, as it is a project from SourceCodester. The recommended mitigation is to restrict access to the /php_action/createProduct.php endpoint by implementing strong authentication and authorization controls, and to add server-side file upload validation (e.g., check file extension, MIME type, and content). Additionally, ensure the upload directory is not directly executable by the web server. Until a fix is available, consider disabling the product creation functionality if not required [1].
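The mitigation above, carried into code: an added, hardened upload handler for createProduct.php written here as an illustration (it is not the project's code). It assumes the form field is `productImage`, that a logged-in user has `$_SESSION['user_id']` set, and an upload directory path that is not served with PHP execution enabled.

```php
<?php
// Added example, not the project's code. Assumptions: upload field "productImage",
// $_SESSION['user_id'] set on login, UPLOAD_DIR outside the web root or served
// with PHP execution disabled (e.g. php_admin_flag engine off in the vhost).
session_start();
const UPLOAD_DIR = __DIR__ . '/../uploads/products/';   // assumed path
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// The original endpoint was reachable unauthenticated; require a session first.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('forbidden');
}

// Returns the stored file name, or null if the upload is rejected.
function store_product_image(array $f): ?string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($f['tmp_name']) || $f['size'] > MAX_BYTES) {
        return null;
    }
    // Type comes from the file bytes, never from the client name or Content-Type,
    // and the image must actually parse. Polyglot images can still pass this, so
    // non-executable storage remains the backstop.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($f['tmp_name']) === false) {
        return null;
    }
    // Server-chosen name and extension: a client-supplied "x.php" never reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    return move_uploaded_file($f['tmp_name'], UPLOAD_DIR . $name) ? $name : null;
}

$stored = isset($_FILES['productImage']) ? store_product_image($_FILES['productImage']) : null;
if ($stored === null) {
    http_response_code(400);
    exit('invalid image');
}
echo json_encode(['image' => $stored]);
```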

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.
